Launchpad has imported 16 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=667187.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-01-04T18:56:33+00:00 nuh wrote:

Description of problem:
If a NULL UDP packet is sent to the avahi port 5353 it triggers an infinite loop with all the expected goodies, 100% CPU usage and DOS of avahi. This is due to the fix for bug 607297 ( https://bugzilla.redhat.com/show_bug.cgi?id=607297 ). You can re-open that bug and fix it with something that clears the null message from the socket before going to fail or you can keep this as a separate bug.

Version-Release number of selected component (if applicable):
all versions of avahi >0.6.24

Steps to Reproduce:
Send a null UDP packet to avahi on port 5353. I personally use Scapy but anything will work.

Actual results:
Infinite loop.

Expected results:
Packet discarded.

Additional info:
In avahi_recv_dns_packet_ipv4 the bug fix:

    if (!ms) goto fail;

Doesn't clear out a Null message from the socket before returning. This is the reason for the infinite loop.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/0

------------------------------------------------------------------------
On 2011-01-04T19:49:13+00:00 nuh wrote:

I have added this bug as a ticket to the avahi tracking system, #325.
http://avahi.org/ticket/325

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/1

------------------------------------------------------------------------
On 2011-02-18T22:52:37+00:00 Lennart wrote:

This has been fixed upstream now.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/5

------------------------------------------------------------------------
On 2011-02-22T18:23:45+00:00 Josh wrote:

MITRE is calling CVE-2011-0634 a dupe of CVE-2011-1002.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/6

------------------------------------------------------------------------
On 2011-02-22T18:49:03+00:00 nuh wrote:

CVE-2011-0634 was a candidate for this issue first but never added as an alias for this bug. Someone applied for CVE-2011-1002 recently and added it as an alias for the bug so I added the original CVE-2011-0634. I was going to release a test tool with a full-disc for this bug using CVE-2011-0634 but I wanted it patched first. I apologize for the confusion; in the future I will add the CVE right away.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/7

------------------------------------------------------------------------
On 2011-02-23T16:44:10+00:00 Jan wrote:

Moving this bug to Security Response product, to properly track the issue.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/8

------------------------------------------------------------------------
On 2011-02-23T16:47:03+00:00 Jan wrote:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1002 to the following vulnerability:

avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1002
[2] http://openwall.com/lists/oss-security/2011/02/18/1
[3] http://openwall.com/lists/oss-security/2011/02/18/4
[4] http://avahi.org/ticket/325
[5] http://git.0pointer.de/?p=avahi.git;a=commit;h=46109dfec75534fe270c0ab902576f685d5ab3a6
[6] http://www.securityfocus.com/bid/46446
[7] http://secunia.com/advisories/43361

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/9

------------------------------------------------------------------------
On 2011-02-23T16:48:49+00:00 Jan wrote:

As noted above, the CVE-2011-0634 identifier has been rejected with the following explanation:

Name: CVE-2011-0634
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0634
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20110120
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-1002. Reason: This candidate is a reservation duplicate of CVE-2011-1002. Notes: All CVE users should reference CVE-2011-1002 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/10

------------------------------------------------------------------------
On 2011-02-23T17:48:33+00:00 Jan wrote:

This issue affects the versions of the avahi package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the avahi package, as shipped with Fedora release of 13 and 14.

Please schedule an update.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/11

------------------------------------------------------------------------
On 2011-02-23T17:49:29+00:00 Jan wrote:

Created avahi tracking bugs for this issue

Affects: fedora-all [bug 679861]

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/12

------------------------------------------------------------------------
On 2011-03-04T22:24:37+00:00 Vincent wrote:

Because avahi is used for local network broadcast messages (local network service discovery), it should be AV:A, not AV:N. It also is low impact, not moderate impact, as a result.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/13

------------------------------------------------------------------------
On 2011-03-14T17:29:35+00:00 Tomas wrote:

I'm going to keep this at impact=moderate to have a consistent rating with what was used for CVE-2010-2244, even though it's a borderline issue. The fix is to be included in the already planned avahi update in 6.1.

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/14

------------------------------------------------------------------------
On 2011-03-14T17:45:13+00:00 Tomas wrote:

Upstream git commit, noted for future reference:
http://git.0pointer.de/?p=avahi.git;a=commitdiff;h=46109dfec75534fe270c0ab902576f685d5ab3a6

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/15

------------------------------------------------------------------------
On 2011-04-12T18:09:33+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0436 https://rhn.redhat.com/errata/RHSA-2011-0436.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/17

------------------------------------------------------------------------
On 2011-05-19T11:09:53+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0779 https://rhn.redhat.com/errata/RHSA-2011-0779.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/18

------------------------------------------------------------------------
On 2011-05-19T14:28:30+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0779 https://rhn.redhat.com/errata/RHSA-2011-0779.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/712844/comments/19

** Changed in: avahi (Fedora)
       Status: Unknown => Fix Released

** Changed in: avahi (Fedora)
   Importance: Unknown => Medium

** Bug watch added: Red Hat Bugzilla #607297
   https://bugzilla.redhat.com/show_bug.cgi?id=607297

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0634

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1002

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2244

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/712844

Title:
  null UDP packet triggers an infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/avahi/+bug/712844/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
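
The failure mode described in the first comment (a size check that returns without taking the empty datagram off the socket), shown beside a handler that always reads first. This is an added example, not Avahi code and not part of the original thread. Assumptions: the function names are hypothetical, the program uses a private loopback UDP socket it creates itself, and it relies on Linux reporting a pending size of 0 through FIONREAD for a zero-length datagram.

```c
/* Added illustration, not Avahi source; all function names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Flawed: a pending size of 0 returns early, leaving the datagram queued. */
static void on_readable_flawed(int fd) {
    int ms = 0;
    char buf[512];
    if (ioctl(fd, FIONREAD, &ms) < 0 || ms == 0)
        return;
    (void)recv(fd, buf, sizeof buf, 0);
}

/* Corrected: always recv() first; it dequeues even a zero-length datagram. */
static void on_readable_fixed(int fd) {
    char buf[512];
    (void)recv(fd, buf, sizeof buf, MSG_DONTWAIT);
}

/* Queue one zero-length datagram on a private loopback UDP socket and count
 * poll() wakeups for it, capped at cap. Returns -1 on setup failure. */
int wakeups_for_empty_datagram(void (*handler)(int), int cap) {
    struct sockaddr_in addr = { .sin_family = AF_INET,
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof addr;
    int count = 0, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        getsockname(fd, (struct sockaddr *)&addr, &len) < 0 ||
        sendto(fd, "", 0, 0, (struct sockaddr *)&addr, sizeof addr) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    struct pollfd p = { .fd = fd, .events = POLLIN };
    for (; count < cap && poll(&p, 1, 200) == 1 && (p.revents & POLLIN); count++)
        handler(fd);
    close(fd);
    return count;
}

int main(void) {
    printf("flawed: %d wakeups (cap 1000), fixed: %d\n",
           wakeups_for_empty_datagram(on_readable_flawed, 1000),
           wakeups_for_empty_datagram(on_readable_fixed, 1000));
}
```

Because poll() is level-triggered, the flawed handler is woken for the same datagram until the cap is reached, while the corrected handler sees exactly one wakeup.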